Audit Report

CONTROLS OVER THE COMPUTERIZED ACCOUNTS PAYABLE SYSTEM AT DEFENSE FINANCE AND ACCOUNTING SERVICE KANSAS CITY

Report No. D-2002-008
October 19, 2001

Office of the Inspector General
Department of Defense

Additional Copies

To obtain additional copies of this audit report, visit the Inspector General, DoD, Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit of the Audit Followup and Technical Support Directorate at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact the Audit Followup and Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

OAIG-AUD (ATTN: AFTS Audit Suggestions)
Inspector General, Department of Defense
400 Army Navy Drive (Room 801)
Arlington, VA 22202-4704

Defense Hotline

To report fraud, waste, or abuse, contact the Defense Hotline by calling (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900. The identity of each writer and caller is fully protected.

Acronyms

CAPS(W)    Computerized Accounts Payable System for Windows
CAGE       Contractor Activity Government Entity
C.F.R.     Code of Federal Regulations
DFARS      Defense Federal Acquisition Regulation Supplement
DFAS       Defense Finance and Accounting Service
DISA       Defense Information Security Agency
DPPS       Defense Procurement Payment System
DUNS       Data Universal Numbering System
EFT        Electronic Funds Transfer
FAR        Federal Acquisition Regulation
FSD        Financial Systems Directorate
GAO        General Accounting Office
OMB        Office of Management and Budget
PPA        Prompt Payment Act

Office of the Inspector General, DoD
Report No. D-2002-008
October 19, 2001
(Project No. D2000FI-0248)

Controls Over the Computerized Accounts Payable System at Defense Finance and Accounting Service Kansas City

Executive Summary

Introduction. Serious internal control weaknesses have been reported over the years in DoD payment processes and systems. The Defense Finance and Accounting Service (DFAS) Kansas City used the Computerized Accounts Payable System for Windows (CAPS[W]) to make vendor payments to Marine Corps customers. During FY 2000, 75,861 vendor payments, valued at $1.2 billion, were made for Marine Corps customers using CAPS(W). On April 1, 2001, the Director, DFAS, capitalized all commercial payment resources under the Director, Commercial Pay Services. This is the first in a series of audit reports addressing the controls over the Computerized Accounts Payable System.

Objectives. Our objectives were to evaluate the controls associated with making payments using the Computerized Accounts Payable System and progress in transitioning to the Defense Procurement Payment System. This report focuses on the controls associated with making vendor payments.
We also evaluated the effectiveness of the management control program as it related to making vendor payments using the Computerized Accounts Payable System.

Results. DFAS Kansas City took actions to systematically segregate access within CAPS(W). However, two systems management personnel had unrestricted access to CAPS(W) and other system users performed functions that required further segregation. When coupled with other system deficiencies and control weaknesses, CAPS(W) was vulnerable to improper and unauthorized use (finding A).

DFAS Kansas City made 17,983 payments from May 1 through July 31, 2000, and approximately 16,605 of these payments did not meet all the documentation or other requirements imposed by OMB regulations implementing the Prompt Payment Act. The fact that a payment was not supported did not mean that the payment was invalid or fraudulent, but indicated management’s failure to enforce the requirements necessary for proper support. As a result, DFAS and Marine Corps managers assumed an increased risk that payments were not being made in compliance with the Prompt Payment Act and that improper payments may have been made (finding B).

The structure and business practices of the vendor payment office at DFAS Kansas City did not provide efficient and effective controls over vendor payments. As a result, DFAS Kansas City did not ensure that improperly supported and erroneous payments would be detected and corrected before payment (finding C). See Appendix A for details on the management control program as it relates to controls over vendor payments.

Summary of Recommendations. We recommend that the Under Secretary of Defense for Acquisition, Technology, and Logistics, require the use of DD Form 250, “Material Inspection and Receiving Report,” as the primary means for documenting receipt and acceptance of goods and services.
We recommend that the Director, Commercial Pay Services, develop compensating controls and change the business structure and practices at DFAS Kansas City for making payments using CAPS(W). We also recommend the removal of remote access to update and certify information in CAPS(W). We also recommend that the Director, Commercial Pay Services, issue interim guidance that discontinues exceptions to the requirements for a proper invoice, specifies what a receiving report must contain to properly support a payment, and standardizes the rules for making properly supported miscellaneous payments. We recommend that the Director, Commercial Pay Services, in conjunction with the Marine Corps, develop stringent procedures for accepting invoice receipt dates affixed outside the payment office, return all invoices to vendors that do not meet payment requirements, and issue guidance to Marine Corps activities identifying the standards for proper receipt and acceptance of goods and services. We recommend that the Deputy Chief of Staff for Installations and Logistics, Marine Corps, ensures that all contracting documents provide the information necessary for making proper payments.

Management Comments. The Director, Defense Procurement, concurred with the recommendation to require the use of DD Form 250 as the primary means of documenting receipt and acceptance. The Director, Commercial Pay Services, agreed to develop a standard business structure and more stringent procedures for accepting invoice receipt dates, returning invoices, and entering data into CAPS(W). The Director, Commercial Pay Services, also agreed to review system access profiles to ensure that they properly segregate duties.
The Director, Commercial Pay Services, partially agreed with the need to provide guidance and training to Marine Corps activities on receiving reports, improve certification of payments, perform more frequent post-payment reviews, and provide interim guidance on requirements for proper invoices and receiving reports. The Director, Commercial Pay Services, did not agree with the need to remove remote access from Marine Corps activities. The Marine Corps did not provide comments to the draft of the final report. See the Finding section of the report for a discussion of management comments and the Management Comments section for a complete text of the comments.

Audit Response. Comments from the Director, Defense Procurement, were responsive. We request that the Director, Defense Procurement, provide an estimated completion date for the corrective action. Comments from the Director, Commercial Pay Services, were generally responsive. We request that the Director, Commercial Pay Services, reconsider her position on the need to remove access from Marine Corps activities until CAPS(W) can provide proper segregation of duties and security over remotely entered data. We request that Director, Defense Procurement; DFAS; and the Marine Corps provide comments on the final report by December 19, 2001.

Table of Contents

Executive Summary

Introduction
     Background
     Objectives

Findings
     A. System Access Controls
     B. Documentation Supporting Vendor Payments
     C. Vendor Payment Office Structure and Practices

Appendixes
     A. Audit Process
          Scope
          Methodology
          Management Control Program Review
     B. Prior Coverage
     C. Statistical Sampling Methodology
     D. Guidance on Supporting Documentation
     E. Report Distribution

Management Comments
     Under Secretary of Defense for Acquisition, Technology, and Logistics
     Defense Finance and Accounting Service

Background

Vendor Payments. Vendor payments are made for operational support such as utilities, medical services, and administrative supplies and services. The current vendor payment process depends on the receipt of various hard-copy documents. As a general rule, payments must be supported by an obligating document (contract, purchase order, or other document obligating DoD to pay for goods or services), an invoice, and a receiving report. For most payments made for Marine Corps customers, technicians at Defense Finance and Accounting Service (DFAS) Kansas City, Kansas City, Missouri, review supporting documents for accuracy and completeness. The information is entered into the Computerized Accounts Payable System for Windows (CAPS[W]) to create a payment voucher, which is then approved for payment by a certifying official. Certifying officers should compare the payment vouchers to the supporting invoices, receiving reports, and contract or obligation documents to ensure the accuracy of the payment information before disbursement.
For utility payments, DFAS Kansas City transferred the function of reviewing documents and certifying payments to Marine Corps installations. Following certification, the payment information is loaded into the disbursing system. The disbursing system uses the payment transactions generated by CAPS(W) to make disbursements.

Inspector General, DoD, Report. At the request of Senator Charles E. Grassley, the Inspector General, DoD, audited the results of the actions taken within the Air Force vendor payment network to correct problems previously reported. Inspector General, DoD, Report No. D-2000-139, “Controls Over the Integrated Accounts Payable System,” June 5, 2000, reported that DFAS Denver, Denver, Colorado, established systematic controls to segregate duties and reduced access to the Integrated Accounts Payable System, the system used to process Air Force payments. However, DFAS Denver needed to reassess the system access given to users, especially those outside their field sites. Giving more people access than was necessary increased the risk of unwarranted and unauthorized access and the likelihood that unsupported and improper payments would be made. Other system weaknesses contributed to unauthorized Integrated Accounts Payable System access and the ability to circumvent payment of interest to vendors as required by the Prompt Payment Act (PPA).

Automated System for Making Marine Corps Vendor Payments. DFAS Kansas City is responsible for the accounting, disbursing, collecting, and financial reporting of the Marine Corps. DFAS Kansas City uses CAPS(W) to process Marine Corps vendor payments. The system computes the payment due dates, payment amounts, and interest payments. CAPS(W) receives data from manual sources and from interfaces with automated systems such as the standard procurement system.
CAPS(W) uses both automated and manual controls to maintain accurate and complete data. DFAS originally planned to replace CAPS(W) at DFAS Kansas City with the Defense Procurement Payment System (DPPS) in December 2001. However, the implementation date has slipped and a revised date had not been set.

Realignment of Vendor Payment Operations. On March 29, 2001, the Director, DFAS, announced the capitalization of all commercial payment resources under the Commercial Pay Business Line. The Director, Commercial Pay Services, is responsible for the commercial pay business line. This business line is comprised of two product lines (contract pay and vendor pay). The Vendor Pay Product Line encompasses entitlement determination for contracts not administered by Defense Contract Management Agency, transportation payments, and miscellaneous payments to businesses and individuals. All vendor payment functions at DFAS Kansas City have been realigned under the U.S. Marine Corps and Defense Agency Support Directorate of the Vendor Pay Product Line.

Objectives

Our objectives were to evaluate the controls associated with making payments using the CAPS and progress in transitioning to DPPS. This report focuses on the controls associated with making vendor payments. We also evaluated the effectiveness of the management control program as it related to making vendor payments using CAPS. See Appendix A for a discussion of the audit scope and methodology and our review of the management control program. See Appendix B for a summary of prior coverage.

A. System Access Controls

DFAS Kansas City took actions to systematically segregate access within CAPS(W).
However, systems management personnel had unrestricted access to CAPS(W) and other system users performed functions that required further segregation. This occurred because:

•   access profiles were not centrally developed and controlled,

•   access profiles did not fully segregate user functions, and

•   remote user access was not monitored.

When coupled with other system deficiencies and control weaknesses, CAPS(W) was vulnerable to improper and unauthorized use.

Direction and Guidance

In August 1998, the Director, DFAS, directed all DFAS vendor payment offices to perform a comprehensive review of the segregation of duties within their vendor payment systems. In General Accounting Office (GAO) Report No. GAO/AIMD-98-274, “Improvements Needed in Air Force Vendor Payment Systems and Controls,” September 28, 1998, GAO recommended that the Director, DFAS, strengthen payment processing controls by establishing separate organizational responsibilities for entering payment data and revising vendor payment access levels to correspond with the new structure. GAO Report No. GAO/AIMD-00-21.3.1, “Standards for Internal Control in the Federal Government,” November 1, 1999, requires access restrictions and segregation of key duties in authorizing, processing, recording, and reviewing transactions.

DFAS Kansas City Databases

Main Database. DFAS Kansas City maintained two separate CAPS(W) databases for making Marine Corps vendor payments. DFAS Kansas City vendor payment personnel used one database to make a majority of the Marine Corps payments.
As of October 30, 2000, access to this database was granted to 61 DFAS Kansas City vendor payment personnel and 19 Financial Systems Directorate (FSD) personnel at DFAS Indianapolis. The FSD personnel provide system maintenance and support functions for CAPS(W) users. The ability to update data within CAPS(W) and inquire about the status of payments is controlled by access profiles.

Database for Making Utility Payments. DFAS Kansas City created a second database to allow for the payment of utility bills by personnel at 13 Marine Corps installations. Utility companies submitted electricity, gas, water, and sewer bills. In February 2000, DFAS Kansas City issued guidance stating that remote users would be allowed to process utility payments directly in CAPS(W). Access to the second database was granted to 44 Marine Corps personnel at the 13 installations and 2 individuals assigned to the DFAS Kansas City systems office. Each person had the ability to process the information needed to make payments. Remote users entered the information supporting the payment (obligation document, invoice, and receiving report) into CAPS(W), certified the payment, and then sent DFAS Kansas City a signed voucher worksheet. DFAS Kansas City personnel compared the signature on the voucher worksheet to a signature card on file and the payment was uploaded to the disbursing system.

System Access to the Main Database

In January 2000, DFAS Kansas City significantly improved the segregation of duties within the vendor payment office by separating the functional capabilities assigned to 12 access profiles. Access was divided by the ability to enter invoice and receipt data, purchase order information, vendor maintenance data, data needed to make miscellaneous payments, and the ability to certify payments.
Table 1 shows each of the 12 access profiles for the 80 personnel granted access to the database used to make the majority of the Marine Corps payments. The table also identifies the functional capabilities associated with each access profile.

Table 1. Access to Main DFAS Kansas City Database

                                  Functional Capability
                     Number of    Invoice and        Miscellaneous   Purchase Order  Vendor
Profile              Individuals  Receiving Reports  Payments        Maintenance     Maintenance  Certify
-------------------  -----------  -----------------  --------------  --------------  -----------  ----------
All                  2            All [1]            Accessible [2]  All             All          Accessible
Citibank [3]         5            All                Accessible      All             None         None
Citibank Lead        1            Inquiry [4]        None            Inquiry         Inquiry      Accessible
Contract Input       6            Inquiry            None            All             All          None
Examiner 1           20           All                Accessible      Inquiry         Inquiry      None
Financial Analyst    1            Inquiry            None            Inquiry         Inquiry      None
FSD Support          18           All                Accessible      All             Inquiry      None
Lead                 5            Inquiry            None            Inquiry         Inquiry      Accessible
Lead 1               1            Inquiry            None            Inquiry         Inquiry      Accessible
Read Only            19           None               None            None            None         None
Reports              1            None               None            Inquiry         Inquiry      None
Support Team Leader  1            Inquiry            None            All             All          None

1. “All” means the ability to add, delete, inquire, and update within a function.
2. Related to the Miscellaneous Payments function, “accessible” means the ability to enter all the data for processing a miscellaneous payment. Related to the Certify function, “accessible” means the ability to certify the payment in CAPS(W).
3. The Citibank profile allows technicians to enter information related to credit card accounts.
4. “Inquiry” means that the function can only be inquired.

Access Profiles. Despite the efforts taken by DFAS Kansas City to segregate access within CAPS(W), duties were still not properly segregated. In addition, the ability to delete data in CAPS(W) was not adequately controlled and the miscellaneous payment function was not restricted to nonrecurring payments. The Director, Commercial Pay Services, should establish standard access profiles for use throughout the CAPS(W) network. As discussed in finding C, the access profiles should complement the business structure developed for vendor payment offices. In the interim, improved controls over system access are essential to reduce the risk that the data in CAPS(W) are manipulated to circumvent PPA requirements or to make fraudulent payments.

System and FSD Support. Two individuals within the systems office at DFAS Kansas City had unrestricted system access and 18 FSD personnel were inappropriately granted the ability to add, update, and delete operational data within the database.
After we discussed our concerns about the access granted to systems management personnel, DFAS Kansas City deleted the “All” profile and created a new “Systems Admin” profile. The new profile removed the ability to certify payments but continued to allow them to add, update, and delete operational data such as purchase order information, invoices, and receiving reports. The “FSD Support” profile granted 18 FSD personnel at DFAS Indianapolis with the ability to update operational data within CAPS(W). Systems management personnel stated that the access granted the “Systems Admin” and “FSD Support” profiles was needed to assist technicians with troubleshooting problems in CAPS(W). However, they could not justify why these capabilities were required on a continuous basis. We believe that systems management personnel should not have uncontrolled update access to the operational database for indefinite periods of time. If they require access to troubleshoot an operational problem, systems management personnel should perform these actions in a test database or they should only be given access for the period of time needed to correct the problem.

Proper Access Documentation. The 18 FSD personnel were granted access to CAPS(W) without completing DISA (Defense Information Security Agency) Form 41, “System Authorization Access Request,” and receiving the approval of the on-site database administrator and functional manager at DFAS Kansas City. Each DISA Form 41 should specify the level of access granted and indicate that systems managers approved the access. A DISA Form 41 was not on file at DFAS Kansas City for any of the 18 FSD personnel.

Vendor Maintenance. DFAS Kansas City granted too many users the ability to update vendor maintenance tables and provided those with this access the ability to update other vendor payment information. Only a limited number of individuals should be allowed to update the vendor maintenance tables containing Electronic Funds Transfer (EFT) and check remittance information. However, these individuals should not be able to alter any of the other payment data or certify the payment. The nine individuals with the “All,” “Contract Input,” and “Support Team Leader” profiles could update the vendor maintenance tables. They could also add, update, or delete purchase order data. The two individuals in the “All” profile could also add, update, and delete invoice and receipt data and certify a payment. The ability to update vendor maintenance tables should be limited. For example, the vendor payment offices that used the Integrated Accounts Payable System limited access to no more than three people, and these people did not have the ability to update any other type of vendor payment information.

Deletion of Records. The ability to delete data in CAPS(W) was not adequately controlled. Individuals with the functional capability to add, inquire, and update invoices and receiving reports; perform purchase order maintenance; and maintain vendor information could also delete that information from CAPS(W). The ability to delete data was not separated from the ability to add, inquire, and update data in the profiles established by DFAS Kansas City. Only a limited number of individuals should have the ability to delete data from CAPS(W). This ability should be restricted to either the supervisors of the accounts payable section or the senior staff accountant in the vendor payment office.
Further, a proper audit trail should be developed and maintained of all data removed from the system. For example, DFAS St. Louis, St. Louis, Missouri, had limited the ability to delete records to only the staff accountants working within the vendor payment office. Before data were removed from CAPS(W), a technician provided a staff accountant with documentation explaining why the data required removal. The documentation was maintained and compared to the CAPS(W) report, “Deleted Records Report,” to validate that data were removed properly. The ability to delete data from CAPS(W) should be better controlled in order to limit the risk that interest penalties are avoided by removing old documents from the system and calculating new payment due dates.

Miscellaneous Payments. DFAS Kansas City should limit the number of individuals granted the miscellaneous payments function and restrict the use of the function to only specific types of miscellaneous payments. DFAS Kansas City granted 45 individuals with the ability to enter all the data (invoice, receipt, obligation, and vendor remittance data) for entitling a miscellaneous payment. The function was created to expedite the entry of data for making miscellaneous payments. Twenty of the 45 individuals were systems management personnel who had been assigned the “FSD Support” and “All” access profiles. Twenty voucher examiners also had this functional capability. As previously discussed, systems management personnel should not routinely have the ability to process the information necessary to make vendor payments. Because of the extensive capability granted the miscellaneous payments function, no more than five individuals assigned the “Examiner 1” access profile should be granted this function.
Most of the 30 different types of miscellaneous payments that DFAS Kansas City made were less than $2,500 and were often not individually reviewed and certified before they were made. The use of the miscellaneous payments function should usually be limited to one-time payments, such as legal claims. Recurring payments, such as utility payments, should be established in CAPS(W) as contract payments so that more than one individual would be responsible for entering the data for entitling the payments.

Remote Access

Allowing personnel at Marine Corps installations to remotely enter and certify payment data was risky because CAPS(W) did not limit access within the database. CAPS(W) did not prevent system users at Marine Corps installations from updating data and certifying payments of other installations. In addition, DFAS Kansas City had not established appropriate compensating controls to ensure the integrity of the remotely entered data.

Segregating Duties of Remote Users. CAPS(W) did not restrict access within a database. An individual given the ability to add, update, or delete information could alter entitlement information for any organization in the database. A certification official could certify any payment in the database. For example, the two individuals in the systems office at DFAS Kansas City could enter, update, and delete payment data and certify all payments in the database. Consequently, the data entered by the 13 Marine Corps installations were not secure and could be altered by anyone with similar access. The installations attempted to segregate duties by requiring that different individuals enter the data and certify the payment.
Specifically:

•   25 individuals could enter, update, and delete invoices, receiving reports, purchase order data, and vendor remittance information. These 25 individuals could update or delete any information in the database.

•   19 individuals could certify payments. Although DFAS Kansas City had signature cards and appointment letters on file for each of these individuals, CAPS(W) allowed certification officials to certify any payment in the database.

A system change to CAPS(W) had been requested in February 1998 that would have restricted the ability of remote users to access only the information related to their organization. However, the system change was not made because of its cost and the anticipated fielding of DPPS. DFAS plans to field DPPS at DFAS Kansas City in December 2001. However, the date slipped and a revised date had not been set. Unless compensating controls are in place to ensure that unauthorized changes to payment information are prevented or immediately identified and corrected, people outside the paying office should not have the ability to change the information in CAPS(W). The access granted the 2 individuals in the systems office at DFAS Kansas City should be removed, and the access of the 25 individuals should be segregated. One individual should not be able to enter, update, and delete invoices and receiving reports; perform purchase order maintenance; and maintain vendor remittance information.

Compensating Controls. DFAS Kansas City had not established a memorandum of understanding with each of the 13 Marine Corps installations that identified the specific types of payments that could have been processed in the database, requirements for properly supporting payments, and procedures for retaining documents supporting payments. Although DFAS Kansas City had the ability to delete any transaction from the upload to the disbursing system, DFAS Kansas City had not established other compensating controls to ensure that individuals were not inappropriately altering data within the database and that the payments were proper. DFAS Kansas City was not monitoring the system to ensure that only appropriately authorized individuals were entering, altering, and deleting information supporting payments and certifying payments. At a minimum, an audit trail should be established and periodically reviewed to detect changes to entitlement data. DFAS Kansas City should also periodically perform a detailed review of the types of payments that are entered remotely and the support for them. Remote access to update and certify information in CAPS(W) should be removed until such time as CAPS(W) can be changed, replaced, or adequate compensating controls developed and implemented.

CAPS(W) System Concerns

DFAS Kansas City reported as a material weakness in its FY 2000 Annual Statement of Assurance, dated October 25, 2000, that access controls within CAPS(W) were inadequate.
Specifically, the FY 2000 Annual Statement of Assurance reported that:

• individuals assigned to DFAS Kansas City systems management office had a global (“All”) access that allowed them to perform functions that could result in fraudulent payments that would be difficult or impossible to detect,

• DFAS Kansas City systems management office personnel could self-assign and modify access capabilities, and

• FSD personnel at DFAS Indianapolis could manipulate databases without proper audit trails and control by the DFAS Kansas City systems management office.

DFAS Kansas City concluded that because it did not have control of CAPS(W), the problems needed to be resolved by DFAS Arlington.* We agree that system changes were outside the control of DFAS Kansas City. However, DFAS Kansas City could have eliminated the access granted by the “All” profile and developed compensating controls to monitor the changes made by systems management personnel.

Summary

DFAS Kansas City did not sufficiently segregate access within CAPS(W) and limit the number of users who could update the vendor maintenance tables, enter miscellaneous payments, and delete information in CAPS(W). Systems management personnel should not have universal system access. Users granted access to CAPS(W) should properly complete access forms to include approvals by the functional manager and database administrator.
Standard user profiles for CAPS(W) should be developed that fully consider the need to standardize the structure of the vendor payment office and business practices within DFAS for making vendor payments. Although DFAS Kansas City identified system access issues as a material management control weakness in its FY 2000 Annual Statement of Assurance, it had not taken sufficient actions to correct the problems or identified the full scope of system weaknesses that could result in unauthorized CAPS(W) access and the manipulation of certified payment data.

* DFAS Arlington is the site of DFAS headquarters.

Recommendations, Management Comments, and Audit Response

A. We recommend that the Director, Commercial Pay Services, establish compensating controls at the Defense Finance and Accounting Service Kansas City that will:

1. Restrict the access granted under the “Financial Systems Directorate Support” and “System Admin” profiles to system related functions for specific periods of time.

DFAS Comments. The Director, Commercial Pay Services, concurred and stated that DFAS would review system access profiles to ensure that they provide adequate separation of duties.

2. Ensure a Defense Information Security Agency Form 41, “System Authorization Access Request,” is properly completed and on file before granting access to the Computerized Accounts Payable System for Windows.

DFAS Comments. The Director, Commercial Pay Services, concurred and stated that a properly completed DISA Form 41 would be on file before granting access to CAPS(W).

3.
Limit access to update vendor maintenance tables and eliminate other types of update access granted to individuals with vendor maintenance access.

DFAS Comments. The Director, Commercial Pay Services, concurred and stated that DFAS will review system access profiles to ensure that they provide adequate separation of duties.

4. Limit the ability to delete data from the Computerized Accounts Payable System for Windows and establish audit trails for data removed from the system.

DFAS Comments. The Director, Commercial Pay Services, concurred and stated that DFAS will review system access profiles to ensure that they provide adequate separation of duties.

5. Limit the use of the miscellaneous payments function to nonrecurring payments.

DFAS Comments. The Director, Commercial Pay Services, concurred and stated that DFAS will review system access profiles to ensure that they provide adequate separation of duties.

6. Remove remote access to update and certify information in the Computerized Accounts Payable System for Windows until the system can provide proper segregation of duties and security over remotely entered data.

DFAS Comments. The Director, Commercial Pay Services, nonconcurred and stated that a separate CAPS(W) database was used to manage Marine Corps utility payments. The Director also stated that DFAS will work with the Marine Corps to ensure that certification officials only certify payments belonging to the certifying official’s organization.

Audit Response. The DFAS comments were partially responsive. While the ability to update and certify information was somewhat restricted by using a separate database, individuals working in organizations at the 13 sites had access to the database and could alter payment information that did not belong to their organization.
Until CAPS(W) can provide security over remotely entered data, remote access should be removed. We request that DFAS reconsider its position on the recommendation and provide comments on the final report.

B. Documentation Supporting Vendor Payments

DFAS Kansas City made 17,983 payments from May 1 through July 31, 2000, and approximately 16,605 of these payments lacked at least one element of support prescribed in 5 Code of Federal Regulations (C.F.R.) Part 1315. Both contract and miscellaneous payments lacked the required documentation. The fact that a payment was not supported did not mean that the payment was invalid or fraudulent, but indicated management’s failure to enforce the requirements necessary for proper support. Payments were made without the proper support because:

• DoD Regulation 7000.14-R, volume 10, allowed exceptions to requirements for a proper invoice and did not specify what a receiving report must contain to properly support a payment;

• DoD guidance in the Federal Acquisition Regulation (FAR) and the DoD Regulation 7000.14-R, volume 10, is inconsistent with and has not been revised to comply with 5 C.F.R.
Part 1315;

• standardized rules for making properly supported miscellaneous payments did not exist; and

• DFAS Kansas City technicians and certification officials either did not detect missing and incomplete items on supporting documents or considered the items unnecessary for making the payments.

As a result, DFAS and Marine Corps managers incurred an increased risk that payments were not being made in compliance with the Prompt Payment Act (PPA) and that improper payments may have been made.

Review of Vendor Payments

Criteria. The principal guidance used for making payment to vendors was the PPA, as implemented by the Office of Management and Budget (OMB) in 5 C.F.R. Part 1315, “Prompt Payment; Final Rule,” September 29, 1999. The OMB guidance has strict requirements that supporting documents must meet in order to be considered proper. The PPA and supporting documentation requirements are further described in FAR subpart 32.9, “Prompt Payment;” Defense Federal Acquisition Regulation Supplement (DFARS) subpart 232.9, “Prompt Payment;” and DoD Regulation 7000.14-R, volume 10, “Contract Payment Policy and Procedures,” November 1999. The FAR subpart 32.9, DFARS subpart 232.9, and DoD Regulation 7000.14-R, volume 10, are in the process of being updated. DFAS Kansas City made payments based on contract documents that needed to comply with the prompt payment criteria and miscellaneous payments that had limited business rules on how each payment should be supported.
DoD Regulation 7000.14-R, volume 10, also contains some information on how to support many of the miscellaneous payments made by DoD. DFAS Kansas City further defined the requirements for supporting documents within a locally developed standard operating procedure. DFAS Kansas City revised its Vendor Pay Standard Operating Procedures in October 2000. Guidance on supporting documentation is discussed in Appendix D.

Sample Selection. To determine whether the documents that were used to support CAPS(W) payments complied with 5 C.F.R. Part 1315 requirements, we obtained a population of 17,983 payments, valued at $290.6 million, made using CAPS(W) from May 1 through July 31, 2000. From this population, we selected a sample of 208 payments in 3 strata. We used the criteria in the 5 C.F.R. Part 1315 to assess the documents (invoice, receiving report, and obligation document) that supported each sample item. The sample also determined whether the data on the supporting documents were entered correctly in CAPS(W). Details concerning sample selection are contained in Appendix C.

Sample Results

Approximately 16,605 of the 17,983 payments made from May 1 through July 31, 2000, were not supported in compliance with 5 C.F.R. Part 1315 requirements. Of the 208 sample items reviewed, 101 items were contractual payments and 107 items were miscellaneous payments. Table 2 shows the projections of the estimated number of payments that were not properly supported for each type of payment. Appendix C gives details of projections and confidence levels.

Table 2.
Estimated Payments Not Properly Supported by Type of Payment

Type of Payment    Total Payments    Estimate of Improperly Supported Payments
Contractual                 8,175                                        7,511
Miscellaneous               9,808                                        9,094
Total                      17,983                                       16,605

Documents supporting contract payments must meet the 5 C.F.R. Part 1315 requirements to be considered proper. We held supporting documentation for miscellaneous payments to very similar standards. Although a case can be made for not holding miscellaneous payments to these strict standards, standard business rules outlining the requirements for supporting documentation for miscellaneous payments were limited. A determination that a payment was not properly supported did not mean that the payment was invalid or fraudulent. Instead, it showed that DFAS Kansas City had not strictly enforced the 5 C.F.R. Part 1315 requirements for supporting documents, creating an environment where improper and fraudulent payments could be made without detection. Our sample also showed that 37 payments were considered improper because the vendor was paid the incorrect amount or the payment should not have been made based on the supporting documentation provided. When projected across the population, this would result in between 2,045 and 4,680 improper payments.

Contractual Payments

Determination of Proper Payments. The results of the sample showed that DFAS Kansas City made about 7,511 contract payments from May 1 through July 31, 2000, without the proper support.
The payments were made because DFAS Kansas City technicians and certification officials either did not detect missing items required on supporting documents or considered the items unnecessary for making the payments. Documents that lacked elements of support prescribed in regulations implementing the PPA were to be returned to the originator and no payment made until a corrected copy of the document was obtained. If the document did not meet these requirements, we considered it improper. Table 3 shows the estimated number of unsupported payments caused by each type of supporting document. Because more than one document could have caused a payment to be unsupported, the total number of improperly supported payments in Table 3 exceeds 7,511 payments. Appendix C provides details of the sample.

Table 3. Estimated Number of Payments Not Properly Supported by Type of Document

Improper Document     Number of Payments
Invoice                            2,916
Receiving Report                   7,315
Contract                  Not Reportable

Invoices. The review of sample payments showed that 31 of 101 invoices did not properly support the payments. Invoices were improper if they did not contain a contract or obligating document number, did not adequately describe what was purchased or the description was inconsistent with the contract, or were altered. When our results were projected over the population, about 2,916 invoices submitted were not proper for payment and should have been returned. Appendix C gives details of the sample projections. DFAS Kansas City technicians accepted the invoices even though they were missing information or the information on them was incomplete.
DoD Regulation 7000.14-R, volume 10, allowed exceptions to requirements for a valid invoice. The regulation states that it is not necessary for an invoice to be free of defects in order for it to be proper and create a valid demand on the Government; the approving activity determines whether a valid demand exists. These exceptions were contrary to 5 C.F.R. Part 1315 and FAR requirements (Appendix D). We also identified problems with the computation of invoice receipt dates when the designated billing office was other than the payment office.

Contract Numbers. DFAS Kansas City made payments based on invoices that did not have contract numbers identified on the original invoices submitted by the vendors. DFAS Kansas City either created the contract number from other sources or accepted an invoice that had the contract number corrected by someone other than the vendor. The sample showed that this condition occurred for 20 contract payments. For example, a contractor submitted invoice number 478115 to Marine Corps Air Station, Cherry Point, North Carolina, for services rendered during FY 2000. The invoice cited an incomplete contract number. Instead of returning the invoice to the vendor to ensure the payment was made to the correct contract, personnel at the installation contracting office placed the contract number on the invoice. In another situation, a vendor submitted invoice number E87833 to Marine Corps Detachment, Aberdeen Proving Ground, Maryland, without a contract number on the invoice. The Marine Corps Detachment forwarded the invoice to DFAS Kansas City along with the receiving report. On the receiving report, Aberdeen Proving Ground personnel cited the correct contract number.
Instead of returning the invoice to the vendor for correction, DFAS Kansas City used the contract number on the receiving report to overcome the omission on the invoice.

Descriptions Consistent with the Contract. Invoices submitted for payment should describe the goods received or services performed and be consistent with the line items contained in the contract. In 16 of the payments reviewed, the items billed were not consistent with the items contained in the contract or did not contain an adequate description of what was invoiced. For example, a contractor submitted invoice number 99-07Y-000514 to Marine Corps Logistics Base, Barstow, California. The invoice stated that it was for work done on an oil separator in Building 375. The contract delivery order identified nine different line items for several types of labor, material, and equipment, but did not indicate anything about an oil separator or Building 375. DFAS Kansas City technicians assumed that the vendor provided the services contracted for because the total amount from the invoice matched the total amount on the delivery order. The technicians should have returned the invoice to the vendor and requested that a corrected invoice be provided specifying the line items contained in the contract delivery order. In another case, a vendor submitted invoice number CP0500 to Marine Corps Air Station, Cherry Point, North Carolina, for reimbursement of dumping fees and part of the fixed-price work on the contract. The contract broke out the fixed-price work into three specific line items. Two of the line items were for monthly services and one was for weekly services. The invoice did not state a period of time that it covered. The receiving report with this payment treated it as a progress payment with a percentage of work completed rather than a service contract.
The description on the invoice should have been consistent with the line items in the contract and provided the period of performance.

Invoice Alteration. DFAS Kansas City’s standard operating procedures allowed for the alteration of invoice data provided the data was lined out so the original information could be read and initialed by the person making the correction. According to 5 C.F.R. Part 1315, an invoice that is missing required data should be returned to the vendor, which can make the needed corrections and resubmit a clearly marked corrected invoice. Nine invoices reviewed in our sample were altered to make the information needed for payment proper. None of the altered invoices were identified as corrected invoices. When we questioned technicians as to who made the corrections, technicians could not identify the person making the changes. When we contacted individuals in the designated billing offices at Marine Corps installations, they stated that they usually corrected the invoices. Because improper invoices were not returned to the vendors for correction, future invoices on the contract could contain identical errors. DFAS should not accept for payment any invoice that was altered by anyone other than the originator of the invoice.

Invoices Sent to Other Than the Payment Office. When invoices were sent to other than the payment office, the invoice receipt dates were often not used properly to compute the payment due date and the payment process was delayed.

Invoice Receipt Dates. DFAS Kansas City did not use the correct invoice receipt dates when the date stamp did not clearly identify the designated billing office. In the sample, 51 of 101 invoices reviewed did not have invoice receipt dates affixed to the invoices that clearly identified that the designated billing office had affixed the date to the invoice.
To properly compute payment due dates, the technician must enter into CAPS(W) the date the invoice was received in the designated billing office. The payment office can only use the designated billing office’s date stamp when determining the invoice receipt date. If it cannot be clearly determined that the date stamp was affixed to the invoice by the designated billing office, the payment office is required by 5 C.F.R. Part 1315 to use the date placed on the invoice by the vendor. Invoices that were sent directly to DFAS Kansas City were usually properly date-stamped. However, when an invoice was sent to an activity other than DFAS Kansas City, it was often difficult to determine whether the date stamp was affixed to the invoice by the billing office designated in the contract or by another installation activity. The date stamp was often just a date affixed to the invoice without any designation as to which office the stamp belonged. In these instances, DFAS Kansas City should have used the date of invoice in determining payment dates.

Invoices Sent to Installations. Many invoices submitted for payment were improperly sent to a Marine Corps activity rather than directly to the DFAS Kansas City payment office. Contracting officers should require that vendors send invoices to a base-level activity only when a requirement exists for that activity to certify what was being billed (such as construction payments). In all other cases, the contracting officer should require that the invoices be sent directly to DFAS Kansas City. Sending invoices to installations created an unnecessary requirement that slowed the payment process, increased lost discounts, and increased the probability that interest would be due the vendor.

Improvements Required to Invoice Processing.
To improve internal controls over the processing of invoices, DFAS must establish business rules that require invoices to comply with 5 C.F.R. Part 1315 requirements. Invoices that do not meet all requirements of a proper invoice should be returned within 7 days to the vendor with a request that a corrected invoice be submitted. Marine Corps contracting officers should ensure that contracts clearly identify that each invoice must include a contract number, invoice number and date, and a clear description of the goods or services provided by the vendor. They should also reduce the number of invoices being sent to designated billing offices other than DFAS Kansas City. However, when invoices are sent to designated billing offices outside the payment office, Marine Corps personnel should be directed to return them to the vendor for correction instead of altering the invoices to make them correct. In addition, invoices should be immediately date-stamped with a stamp that clearly identifies the designated billing office or that identifies the designated billing office through some other means.

Receiving Reports. The review of sample payments showed that 86 receiving reports did not properly support the payments. When projected to the entire population, about 7,315 receiving reports did not meet the 5 C.F.R. Part 1315 requirements for a proper receiving report and should have been returned. Appendix C contains details on sample projections. A payment was assessed as not properly supported if the receiving report did not identify receipt and acceptance dates; provide a description of the goods received or services performed; and provide a proper signature, printed name, address, and telephone number of the receiving or accepting official. Most receiving reports in the sample were missing the dates of receipt and acceptance and required signature information.
Payments were often supported by a NAVCOMPT Form 2277, “Voucher for Disbursement and/or Collection,” certified invoices, or locally developed forms which did not meet 5 C.F.R. Part 1315 requirements for proper receiving reports. DFAS Kansas City and the Marine Corps did not establish or enforce clear requirements on the elements required for documenting proper receipt and acceptance of goods and services. In addition, DoD Regulation 7000.14-R, volume 10, did not specify what a receiving report must contain to properly support a payment. The items required for a proper receiving report are contained in Appendix D.

Receipt and Acceptance. DFAS Kansas City made payments to vendors without documentation showing the actual date of receipt and acceptance of the goods and services. Receipt and acceptance of goods and services are two separate acts accomplished at the installation level to ensure that items and services contracted for are received and properly accepted. The sample showed that 31 of 101 payments were made without receipt and acceptance dates. Payments were often supported by NAVCOMPT Form 2277. This form showed the date an official signed the form but often did not specify when goods or services were received and accepted. Technicians would improperly use the date the form was prepared or signed by installation personnel as the receipt and acceptance dates. When the invoices were sent to Marine Corps activities before being submitted to the payment office as certified invoices, the dates of receipt and acceptance were recorded on the invoice using an ink stamp. However, the dates of receipt and acceptance were sometimes not recorded.

Validity of Receipt and Acceptance Dates. The receipt and acceptance dates recorded on the forms often did not reflect the actual dates of receipt and acceptance.
We contacted receiving activities and analyzed invoice and contract data for most sample items and found that 22 of 101 payments were based on dates on receiving reports that did not reflect the actual date of acceptance. The dates on the receiving reports usually represented the date on which the receiver completed the document, not the actual date that the receiver accepted the goods or services. For example, invoice number 2000-CHR5053 was received at DFAS Kansas City as a certified invoice on June 15, 2000. The invoice and the contract stated that the services were incurred on February 16, 2000. The invoice date was March 14, 2000. However, the receiver recorded June 13, 2000, as the invoice receipt date, the acceptance date, the date the invoice was certified, and the date the invoice was sent to disbursing. The receiver told us that June 13, 2000, was the date that he had signed the invoice and the actual services had occurred earlier. The use of dates that do not reflect the actual dates of receipt and acceptance results in the computation of incorrect payment due dates.

Description of Goods and Services Received. The review of sample payments showed that 42 of 101 receiving reports reviewed either did not properly describe the goods and services received or identified goods or services that were inconsistent with the items contained in the contract. For example, a receiving report was sent in by Aberdeen Proving Ground that listed a receipt for “one pager service” for $78.23. However, the invoice and the contract were for “service for four pagers” for a total of $78.23. In another instance, the supply directorate at Marine Corps Air Station, Cherry Point, sent in a receiving report on a locally developed form. The form had two separate areas where a brief description of the goods or services should have been listed.
However, no information was entered in either area. Since Marine Corps Air Station, Cherry Point, listed the invoice number on the form and sent it in with the invoice, DFAS Kansas City assumed that the goods listed on the invoice were actually received. Each receiving report is required to stand on its own and should describe what the activity actually received.

Required Signature Information. The review of sample payments showed that 68 of 101 receiving reports did not contain all the required signature information. Technicians often overlooked the requirement that receiving reports contain a signature, printed name, mailing address, and telephone number of the receiving or accepting official on each receiving report, and made payments without them. Incomplete information regarding the address or telephone number makes it difficult for payment and contracting officials to subsequently verify acceptance in the event of a dispute or other issue concerning the conditions of the goods received or services performed. By not enforcing the requirement for required signature information, DFAS Kansas City created an environment that could result in improper and fraudulent payments that could go undetected.

Adequacy of Forms. Most of the forms used to indicate receipt and acceptance of goods and services were not designed as receiving reports. Consequently, the forms did not contain space for the receiver to enter a name, address, title, and telephone number when receiving and accepting goods and services. NAVCOMPT Form 2277, locally developed forms, and certified invoices were primarily used as receiving reports. These documents did not contain all the information required by 5 C.F.R. Part 1315 for proper receiving reports. NAVCOMPT Form 2277 was designed as a payment voucher and should not have been used as a receiving report. Certified invoices should only be used in limited circumstances.
DD Form 250, “Material Inspection and Receiving Report,” should be the primary means for documenting receipt and acceptance. The form, as revised in August 2000, met all 5 C.F.R. Part 1315 requirements for a proper receiving report when completed correctly. Other standard forms, such as DD Form 1155, “Order for Supplies or Services,” may also be used for making final payments, provided they contain all of the required data elements.

Improvements Related to Receiving Reports. DFAS should establish and enforce clear requirements on the elements required for documenting proper receipt and acceptance of goods and services. Mandating the use of DD Form 250 as the primary means for documenting receipt and acceptance would significantly improve compliance with 5 C.F.R. Part 1315 requirements. Guidance should be sent to Marine Corps activities emphasizing the requirements for proper receiving reports. The guidance should also emphasize that any receiving report that does not meet the requirements of a proper receiving report will be returned to the installation. Marine Corps managers must ensure that personnel at receiving activities are trained on the importance of recording proper dates to prevent the circumvention of the PPA.

Contracts. The review of 6 sample items showed that the payments were not supported by a contract document. The obligation documents used to make payments needed to contain sufficient information for the paying office to properly match invoice and receipt information and make the payment to the correct vendor. The six payments were considered improper since the contracting documents could not be provided to us for review by the payment office and were not contained in the Electronic Data Access system.
Other contracts were missing key elements such as payment terms, a valid Data Universal Numbering System (DUNS) number, or a valid Contractor Activity Government Entity (CAGE) code. For example, contracts for 48 of the sample items did not provide a valid DUNS number or CAGE code that could be used to ensure that the proper information was extracted from the Central Contractor Registry. DFAS had implemented a process for extracting the required information from the Central Contractor Registry into a Corporate EFT database. Since EFT is the primary means of payment, contracting offices need to make sure that all contracts provide a valid DUNS number or CAGE code. The Debt Collection Improvement Act of 1996 requires that payments be made electronically unless EFT requirements were waived under 31 C.F.R. Part 208.4.

Support for Miscellaneous Payments

DoD Regulation 7000.14-R, volume 10, does not identify standard business rules for making properly supported miscellaneous payments and DFAS Kansas City had not identified the information necessary to properly support each of the approximately 30 types of miscellaneous payments. At a minimum, the payment office should ensure that a proper funding document exists that supports the vendor’s claim against the Government and an employee at the installation acknowledges that the item or service being paid for was received and accepted. Although DFAS Kansas City tried to control miscellaneous payments, procedures were not consistently followed and did not ensure that only proper payments were made.

Requirements for Proper Support. When miscellaneous payments were held to 5 C.F.R. Part 1315 requirements, the invoices, receiving reports, and obligating documents supporting the payments were frequently not proper.
The sample showed that about 9,094 payments were made from May 1 through July 31, 2000, without sufficient support (see Appendix C). Improperly supported payments primarily occurred because receiving reports did not contain enough information to ensure that the obligating documents were proper or the goods or services were actually received and accepted by an authorized Government official. We recommended in Inspector General, DoD, Report No. D-2000-139, “Controls Over the Integrated Accounts Payable System,” June 5, 2000, that the Under Secretary of Defense (Comptroller) amend DoD Regulation 7000.14-R, volume 10, to standardize the rules for making properly supported miscellaneous payments. The business rules also need to identify how to develop pseudo contract and invoice numbers; define what dates should be used for receipt of an invoice and receipt and acceptance of the goods or services; and reemphasize that receiving reports must identify the name, address, and phone number of the official accepting or authorizing the miscellaneous payments. The guidance for making vendor payments in DoD Regulation 7000.14-R, volume 10, had not been changed as of October 3, 2001. The Director, Commercial Pay Services, should develop procedures for making properly supported miscellaneous payments that can be used by payment offices until DoD Regulation 7000.14-R, volume 10, is changed.

Pseudo Numbers for Miscellaneous Payments. The process for establishing pseudo numbers for miscellaneous payments missing an obligating document or invoice number was inconsistent and increased the risk that duplicate payments could be made.
Invoices related to miscellaneous payments usually did not contain an obligating document number or an invoice number. DFAS Kansas City made about 30 different types of miscellaneous payments. Consequently, technicians assigned to the accounts payable teams had to create pseudo contract and invoice numbers for entry in CAPS(W).

• For recurring monthly payments, such as purchase card and utility payments, pseudo contract numbers should have been developed that would have provided a history of the payments made for goods and services acquired during each fiscal year. Instead, DFAS Kansas City created a different pseudo contract number for each monthly purchase card and utility payment. Having different pseudo contract numbers for each monthly payment created some problems because DFAS Kansas City paid current charges on invoices with credit balances and past due amounts were not routinely reconciled to ensure that all payments had been properly recorded and overpayments did not occur. If pseudo contract numbers were standardized by fiscal year, technicians would have been able to easily determine whether past due amounts were valid, payments were posted to the correct account, and overpayments were made.

• Our sample contained five payments for childcare services. Technicians used three different methods for creating the pseudo invoice numbers entered in CAPS(W). A standard method of establishing the pseudo contract and invoice numbers should be part of the business rules for determining whether miscellaneous payments are properly supported.
Once established, accounts payable technicians at DFAS Kansas City should follow the methodology.

Although DFAS Kansas City had established some guidance as to how to establish pseudo numbers, standard business rules had not been established for creating these numbers. The establishment of a separate team to work only miscellaneous payments would help to ensure that these payments were treated in a more uniform manner.

Proper Receipt and Acceptance. Most miscellaneous payments did not provide enough supporting information to ensure that the goods or services were actually received and accepted by an authorized Government official. The review of sample payments showed that the receiving reports supporting 89 miscellaneous payments did not contain the name, address, and telephone number of the Government official authorizing the miscellaneous payments. Payments should not be made unless the goods or services were clearly identified and the official’s name, address, and telephone number are on the supporting documentation or on a signature card on file in the payment office.

Improper Payments

Our sample showed that 37 of 208 payments were considered improper because the vendor was paid the incorrect amount or the payment should not have been made based on the supporting documentation provided. When projected across the population, this would result in between 2,045 and 4,680 improper payments. We considered payments to be improper when either the amount paid to the contractor was incorrect, the proper supporting documentation was not found, or the payment was not paid via EFT as required by the contract. For example, DFAS Kansas City overpaid 13 invoices and underpaid 5 invoices. The underpayments often occurred because DFAS Kansas City miscalculated the payment dates and computed interest incorrectly.
The payments were not actually made until 1 or more days after the computed pay dates. Eight other payments were made to contractors by check even though the contractor was properly registered in the Central Contractor Registry. In these cases, the law required the payment be made via EFT. In another case, DFAS Kansas City improperly used a DD Form 1556, “Request, Authorization, Agreement, Certification of Training and Reimbursement,” to support a payment of $147,600 to a vendor for training. DoD Regulation 7000.14-R, volume 10, states that DD Form 1556 should only be used to make payments up to $25,000.

Summary

DFAS Kansas City and Marine Corps managers need to address proper support for payments they make to vendors and individuals. 5 C.F.R. Part 1315 contains strict requirements for what constitutes properly supported payments made under the PPA. For prompt payment, invoices received from vendors should meet all requirements of a proper invoice. Invoices that fail to meet the standards need to be immediately returned to the vendor for correction. Marine Corps activities should perform receipt and acceptance actions immediately upon delivery of any product or service and submit completed paperwork to the payment office. Documents used for receipt should contain all required information or be returned for correction. Only the originating activity should alter documents supporting payments, and the documents should clearly state that the correction was made by that activity. Other activities should not be authorized to make corrections to payment documents. Contracting office personnel should write contracts that clearly provide all data needed for payment. Contracts should detail the items or services being purchased so invoices and receiving reports can be validated.
Miscellaneous payments require assurance that the items were approved for purchase and received by an authorized Government official. The Under Secretary of Defense (Comptroller) still needs to amend DoD Regulation 7000.14-R, volume 10, to discontinue allowing exceptions to requirements for a proper invoice, specify what a receiving report must contain to properly support a payment, and standardize the rules for making properly supported miscellaneous payments. The Director, Commercial Pay Services, should issue interim guidance until DoD Regulation 7000.14-R, volume 10, is changed. Marine Corps managers must ensure that personnel at receiving activities are trained on the importance of recording proper dates to prevent the circumvention of the PPA.

Recommendations, Management Comments, and Audit Response

B.1. We recommend that the Under Secretary of Defense for Acquisition, Technology, and Logistics, in coordination with the Director, Defense Finance and Accounting Service, and the Military Services, require the use of the DD Form 250, “Material Inspection and Receiving Report,” as the primary means for documenting receipt and acceptance of goods and services.

Under Secretary of Defense for Acquisition, Technology, and Logistics Comments. The Director, Defense Procurement, concurred and stated that she will request that the Defense Acquisition Regulations Council revise DFARS subpart 232.9 to specify the use of the DD Form 250 as the primary means for documenting receipt and acceptance of goods and services.

DFAS Comments.
The Director, Commercial Pay Services, partially concurred with the recommendation and stated that her office will require the use of DD Form 250 if policy is issued by the Under Secretary of Defense for Acquisition, Technology, and Logistics and the Under Secretary of Defense (Comptroller).

Audit Response. The Director, Defense Procurement, comments were responsive. The Director, Defense Procurement, did not include an estimated completion date for corrective action. We request that the Director, Defense Procurement, provide us with an estimated completion date in response to the final report. The DFAS comments were responsive.

B.2. We recommend that the Director, Commercial Pay Services, issue interim guidance until DoD Regulation 7000.14-R, volume 10, is changed. The guidance should discontinue exceptions to the requirements for a proper invoice, specify what a receiving report must contain to properly support a payment, and standardize the rules for making properly supported miscellaneous payments.

DFAS Comments. The Director, Commercial Pay Services, partially concurred and stated that DFAS will ensure that vendor payment personnel are aware of what constitutes a proper invoice and receiving report and the required support for miscellaneous payments. The Director also stated that DFAS will continue to use judgement on returning invoices and receiving reports with minor flaws that do not distract from the validity of the contract, receiving report, and invoice being in agreement.

Audit Response. The DFAS comments were partially responsive. OMB guidance contained in 5 C.F.R. Part 1315 clearly defines what constitutes a proper contract, invoice, and receiving report. DFAS payment offices must comply with these requirements and return supporting documents that do not meet requirements to the originator for correction.
Further, the DFAS comments did not sufficiently address the need to develop standard rules for making miscellaneous payments. We request that DFAS reconsider its position on the recommendation and provide comments to the final report.

B.3. We recommend that the Director, Commercial Pay Services, in conjunction with the Marine Corps:

a. Develop stringent procedures for accepting invoice receipt dates affixed outside the payment office. Procedures should ensure that the payment office can determine that the designated payment office date-stamped the invoice.

DFAS Comments. The Director, Commercial Pay Services, concurred and stated that DFAS will coordinate with the Marine Corps to establish a procedure for date-stamping invoices and how DFAS will handle invoices received from the Marine Corps without a date stamp.

Marine Corps Comments. The Marine Corps did not provide comments to the draft of this report. Therefore, we request that the Marine Corps provide comments on the final report.

b. Return all invoices to vendors that do not meet payment requirements.

DFAS Comments. The Director, Commercial Pay Services, concurred and stated that DFAS Kansas City had developed a procedure to return all improper invoices. In addition, the Marine Corps Liaison Office was provided with guidance on the requirements for a proper invoice. Any invoice not meeting the requirements of 5 C.F.R. Part 1315.9(b) will be returned.

Marine Corps Comments. The Marine Corps did not provide comments on the draft of this report. Therefore, we request that the Marine Corps provide comments on the final report.

c. Develop and issue guidance to Marine Corps activities identifying the standards for proper receipt and acceptance of Government goods and services.

DFAS Comments.
The Director, Commercial Pay Services, partially concurred with the recommendation and stated that DFAS provided the Marine Corps Liaison Office with information on what constitutes a proper receiving report. However, the Director stated that DFAS does not issue guidance to Marine Corps activities.

Audit Response. The DFAS comments were partially responsive. The Director, Commercial Pay Services, is responsible for ensuring that DFAS Kansas City ensures proper receipt and acceptance of goods and services before making payments. Therefore, DFAS must work with Marine Corps managers to ensure that proper guidance is issued to receiving activities on the standards for proper receipt and acceptance. We request that DFAS reconsider its position and provide comments on the final report.

Marine Corps Comments. The Marine Corps did not provide comments on the draft of this report. Therefore, we request that the Marine Corps provide comments on the final report.

d. Provide training to personnel at receiving activities on the importance of providing payment offices properly completed receiving reports within 5 days of acceptance of goods and services.

DFAS Comments. The Director, Commercial Pay Services, partially concurred with the recommendation and stated that DFAS does not provide training to Marine Corps activities. However, the Director stated that DFAS will assist the Marine Corps in developing and presenting training on the importance of completing receiving reports accurately and providing them to DFAS within 5 days of acceptance of goods or services.

Audit Response. The DFAS comments were responsive. DFAS needs to work with the Marine Corps to ensure that receiving activities provide DFAS with proper receiving reports in a timely manner.

Marine Corps Comments. The Marine Corps did not provide comments on the draft of this report. Therefore, we request that the Marine Corps provide comments on the final report.

B.4.
We recommend that the Deputy Chief of Staff for Installations and Logistics, Marine Corps, ensure that all contracting documents provide the information necessary for making proper payments, including:

a. Specifications that invoices include a contract number, invoice number and date, and clear description, by contract line item, of what the vendor is invoicing for;

b. Directions to avoid sending invoices directly to installations unless the invoices require certification; and

c. Accurate Data Universal Numbering System numbers and Contractor Activity Government Entity codes.

Marine Corps Comments. The Marine Corps did not provide comments on the draft of this report. Therefore, we request that the Marine Corps provide comments on the final report.

C. Vendor Payment Office Structure and Practices

The structure and business practices of the vendor payment office at DFAS Kansas City did not provide efficient and effective controls over vendor payments.
Despite actions taken to segregate duties and improve accountability over documents, problems continued to exist because:

• positive control over payment documents had not been achieved,

• supporting documents were not held to proper standards and returned to the originating activities when required,

• certification officials did not adequately review all payments, and

• responsive actions were not taken to correct previously identified problems and reviews of payment vouchers were not periodically performed.

As a result, DFAS Kansas City did not ensure that improperly supported and erroneous payments would be detected and corrected before payment.

Prior Review of Vendor Payment Operations

On April 23, 1999, DFAS Arlington reported on a review conducted on vendor payment operations at DFAS Kansas City. DFAS Arlington recommended that DFAS Kansas City eliminate the mailroom in the vendor payment office and relocate mailroom functions to the centralized mailroom; track invoices; restrict the ability to change “remit to” information and update contract data to contract input technicians; and prohibit certification officials from making changes to invoices, receiving reports, contracts, and payment vouchers.

In FY 2000, DFAS Kansas City reorganized some of its business practices for making vendor payments. Technicians in the administrative assistance section became solely responsible for entering contract and vendor maintenance data into CAPS(W).
DFAS Kansas City also limited the CAPS(W) access of lead voucher examiners and supervisors who certified payments on each of the accounts payable teams.

Office Structure and Business Practices

DFAS Kansas City failed to develop efficient and effective business practices within its vendor payment office that ensured proper document control and segregation of duties. Until DPPS and related initiatives aimed at processing payment information in an automated environment can be effectively implemented, DFAS Kansas City needs to establish a vendor payment office that:

• receives and date stamps, immediately upon receipt, all incoming documents in a secure centralized mailroom outside the vendor payment office;

• has a document management section that is the focal point for receipt, validation, and control of all documentation supporting vendor payments;

• ensures that all payments are properly certified; and

• works effectively with Marine Corps customers to obtain receiving reports for goods and services promptly upon receipt and acceptance.

Positive Control Over Incoming Documentation. Although DFAS Kansas City changed its document control process, it did not effectively control documents supporting vendor payments. DFAS Kansas City had only limited visibility and control over the documents, even after the documents were entered into CAPS(W). Mailroom operations should be moved to the centralized mailroom, and a document management section should be established to effectively track, control, and screen all documents supporting payments.

Mailroom Operations. The mailroom in the administrative assistance section was unsecured and provided little positive control over incoming documents.
Positive control over incoming documents is essential. DFAS Kansas City had a secure centralized mailroom outside the vendor payment office that could receive and date-stamp all incoming vendor payment documents. In April 1999, DFAS Arlington recommended that DFAS Kansas City relocate the mailroom in the vendor payment area to the centralized mailroom along with facsimile machines receiving vendor payment documents. This change would have allowed all incoming documents to be received and date-stamped outside of the vendor payment office. However, DFAS Kansas City did not make the recommended changes and continued to maintain a mailroom within the administrative assistance section that opened and date-stamped the mail. Mail from the U.S. Postal Service was received by the central mailroom, sorted, and sent unopened to the administrative assistance section. Packages from courier services usually bypassed the central mailroom and were delivered directly to the administrative assistance section. Facsimile machines that received vendor payment documents were located in the administrative assistance section. The mailroom in the administrative assistance section was not in a secured area and technicians were allowed to pick up facsimile documents without ensuring that they were properly date-stamped. Since the date stamp on the invoice is a key element in determining prompt payment requirements, DFAS Kansas City needed to move the opening and date-stamping of all incoming vendor payment documents to the centralized mailroom.

Document Management. DFAS Kansas City did not effectively track, control, and screen all documents supporting payments. Beginning in January 2000, DFAS Kansas City required the administrative assistance section to open and log all incoming documents into a spreadsheet and then pass them on to the payment technicians.
However, documents were not adequately controlled and the screening of documents to determine compliance with 5 C.F.R. Part 1315 requirements did not take place early enough in the payment process to return the documents and make corrections within the prompt payment timeframe.

Tracking Documents. The method used by the administrative assistance section to track documents was slow and ineffective. The administrative assistance section entered into a spreadsheet all documents received in the vendor payment office. It used the spreadsheet to track documents; however, the spreadsheet did not contain detailed information as to where documents could be found within the vendor payment office. Between October 31 and November 9, 2000, we observed that mail sat in crates in the administrative assistance section for at least 5 days awaiting entry into the spreadsheet. Accounts payable technicians stated that they used the spreadsheet when a vendor called about the status of a payment. They reviewed the spreadsheet to determine whether the invoice had been received. However, they stated that they often did not search the office for missing documents. Instead, they directed the vendor to fax in a new invoice. One technician told us that the date stamp on the new facsimile document was used in computing the payment due date rather than the invoice receipt date for the original invoice in the tracking spreadsheet. To test controls over the tracking of documents, we obtained 10 invoices from the mailroom on October 31, 2000, and traced them through the vendor payment process until November 9, 2000. In order to locate each of the invoices, technicians had to sort through stacks of documents in and around their desks. While we eventually located the invoices, 7 of the 10 invoices had not yet been entered into CAPS(W).
The spreadsheet should have been used to locate documents within DFAS Kansas City and determine invoice receipt dates for lost documents. A measurable standard for entering documents in CAPS(W) should also be established and monitored.

Controlling Documents. DFAS Kansas City did not effectively control the payment folders containing invoices, receiving reports, and obligation documents. Incoming payment documents were loosely transferred between the administrative assistance section and accounts payable teams, often more than a week after arriving at DFAS Kansas City. Accounts payable technicians validated invoices and receiving reports against the contract and the other supporting documentation, then placed the documents in payment folders. In November 2000, we observed stacks and boxes of payment folders, invoices, and receiving reports on and around technicians’ desks. Usually these piles were sorted according to whether the documents needed to be entered into CAPS(W), the payment awaited prevalidation, or the payment needed to be computed. To locate a payment folder, supervisors had to find the technician responsible for entering the data into CAPS(W) and then have that technician look through the stacks of documents in and around the desk or in nearby filing cabinets. To effectively control documents supporting vendor payments, DFAS Kansas City needs to establish and maintain payment folders in a document management section. Maintaining the folders in a document management section would prevent the flow of loose documentation within DFAS Kansas City. By reviewing operations at other vendor payment offices using CAPS(W), two methods were identified that could be used within the document management section for maintaining effective control over payment documents. The preferable method was to have technicians enter data into CAPS(W).
Once the data were entered, the payment folder could then be signed out to a technician on an accounts payable team who would compute the payment after verifying the data had been properly entered into CAPS(W). A less desirable, but acceptable, means for managing documents and payments was to create a database for tracking documents that had been signed out to accounts payable teams for processing. Once data were entered into CAPS(W), the technician would return the folder to the document management section. Folders would be returned to the technician only when additional documents required entry into CAPS(W) or the payment needed to be computed. At DFAS Kansas City, the accounts payable teams entered invoices and receiving reports into CAPS(W), computed payments, and certified payments. Keeping the payment folders under the control of the document management section makes it easier to locate payment folders and other documents.

Screening Documents. The administrative assistance section did not screen incoming documents for compliance with 5 C.F.R. Part 1315 requirements. An effective document management section should conduct a detailed screening of invoices, receiving reports, and obligation documents. Deficiencies in payment documents should be identified and the documents promptly returned to originators so as to minimize unnecessary rework later in the payment process. To ensure incoming documents are effectively screened, personnel with sufficient vendor payment experience and knowledge of regulatory procedures should be assigned to the document management section. At DFAS Kansas City, document screening did not occur until the accounts payable technician attempted to enter the document into CAPS(W). By not screening invoices and receiving reports upon receipt, payments could be delayed and interest paid when technicians discovered errors when entering the data into CAPS(W).
As stated previously, only 3 of the 10 invoices we traced through the payment process were entered into CAPS(W) within 9 days of receipt. 5 C.F.R. Part 1315 requires that improper invoices be returned to vendors within 7 days. Deficiencies detected in other payment documents should have resulted in those documents being returned to the originators. However, technicians were often reluctant to return documents. Delays in identifying deficiencies in invoices and receiving reports could result in the payment of interest to vendors.

Payment Processing. DFAS Kansas City had not ensured that quality reviews of supporting documents were fully performed by technicians on the three accounts payable teams who entered invoices and receiving reports into CAPS(W). In addition, certification officials were not organizationally independent and did not always adequately review the documents supporting vendor payments.

Quality Reviews of Supporting Documents. Accounts payable technicians did not perform appropriate reviews to determine whether invoices and receiving reports complied with 5 C.F.R. Part 1315 requirements. Accounts payable technicians usually returned invoices for reasons such as missing descriptions, missing contract numbers, and overbilling. However, the technicians seldom returned invoices that had poor descriptions of goods and services, were inconsistent with contracts, or had been altered. The technicians did not ensure that invoices and receiving reports met all 5 C.F.R. Part 1315 requirements. Technicians seldom questioned the need for required information missing on receiving reports or returned them for correction. Finding B discusses the reasons why payments in our sample were not properly supported. Appendix D identifies the requirements in 5 C.F.R. Part 1315.

Certification of Payment Vouchers.
Certification officials did not thoroughly review all payments and supporting documents to ensure that they were accurate, proper, and correct for payment. Supporting documents were often missing some of the information required to make proper payments. In addition, certification officials were not organizationally independent.

Certifying Procedures. Certification officials did not always closely review the documents supporting vendor payments to ensure that they were proper. As discussed in finding B, many problems were identified with the invoices, receiving reports, and obligating documents that supported vendor payments made by DFAS Kansas City. Our sample showed that 41 payments were considered improper because the vendor was paid the incorrect amount or the payment should not have been made based on the supporting documentation provided. Certification officials did not detect the problems with the payments. DFAS Kansas City also used a sampling plan that was incomplete and not properly approved to certify vendor payments under $2,500. To alleviate the certification workload, certification officials used statistical sampling procedures for examining a random number of payment vouchers scheduled for payment. DoD Regulation 7000.14-R, volume 5, chapter 33, “Accountable Officials and Certifying Officers,” August 1998, allowed for a prepayment sampling plan for payments provided the plan was approved by the Office of the Under Secretary of Defense (Comptroller) or a designee. GAO Policy and Procedures Manual, Title 7, “Fiscal Guidance,” May 18, 1993, limits this authority to payments under $2,500. DFAS Kansas City had not requested nor received approval for its plan. The plan was based on information developed by DFAS Arlington. However, the plan was incomplete and not always followed.
DFAS Kansas City did not use appropriate sampling techniques and the results of the sampling were not analyzed to determine whether the risk level remained acceptable or whether certification of individual payments should be resumed. Although the use of statistical sampling may be justified, DFAS Arlington needs to closely monitor the development and use of statistical sampling plans by vendor payment offices. We believe that a separate plan for sampling miscellaneous payments may need to be developed. Miscellaneous payments were subject to a higher risk of being improperly or erroneously paid because of the lack of standard procedures for making properly supported miscellaneous payments, especially those missing obligation document numbers and invoice numbers.

Organizational Placement of Certification Officials. Certification officials were not organizationally independent. Certification officials were the lead technicians and supervisors assigned to the accounts payable teams. Undue influence could be placed on technicians by lead technicians and supervisors. In August 2000, the DFAS Arlington Internal Review Office substantiated allegations of password sharing among technicians on accounts payable teams and a certification official at DFAS Kansas City. Internal controls for separation of duties were circumvented when the supervisor asked for and obtained the passwords of her subordinates. Her actions allowed one individual to both enter and approve payments. Although fraud was not found, the potential existed. Certification officials should be removed from the accounts payable teams and reassigned to a separate section in the vendor payment office. Establishing a separate group of certification officials would minimize the potential for undue influence and allow for an independent review of all payments to ensure compliance with 5 C.F.R.
    Part 1315 requirements.

    Receiving Reports. DFAS Kansas City was not using an available CAPS(W)
    report to obtain missing receiving reports. A significant cause of interest
    payments made by DFAS Kansas City was the inability to obtain proper
    receiving reports from receiving activities at installations. As of
    October 24, 2000, DFAS Kansas City had 527 invoices, valued at $4.97 million,
    that were more than 30 days old, but had not been paid because of missing
    receiving reports. DFAS Kansas City did not have people designated to
    aggressively work with receiving activities to obtain missing documents or to
    be a focal point to resolve problems identified in the payment process.
    Technicians stated that they had other higher-priority work that took
    precedence. The CAPS(W) report, “Invoices Without Receiving Reports,” should
    have been used to identify invoices that had been entered into CAPS(W) but
    were missing receiving reports. The report should have been generated weekly
    and sent to receiving activities. DFAS Kansas City had created a separate
    spreadsheet based on information from CAPS(W) for prevalidating payments.
    Although the spreadsheet was provided to financial managers, it was not sent
    to receiving activities. We selected 10 invoices on the CAPS(W) report,
    “Invoices Without Receiving Reports,” as of October 30, 2000, and contacted
    receiving activities as necessary. The review determined that DFAS Kansas
    City and Marine Corps receiving activities could do more to make prompt and
    accurate payments.

        •   We contacted Quantico Marine Corps Base, Quantico, Virginia, for
            receiving reports for five invoices for monthly maintenance services
            from October 1999 through August 2000. The receiving activity
            provided us with a receiving report for the invoices covering
            services from October 1999 through April 2000.
            After we provided the receiving report to the accounts payable
            technician, the invoices were paid with interest. As of April 17,
            2001, a receiving report had not been provided for services from
            May through August 2000.

        •   DFAS Kansas City received five invoices between April 18 and 20,
            2000, for receipt of goods. The receiving activity told us that a
            receiving report had been sent to DFAS Kansas City. The copy faxed
            to us indicated the receipt of some goods on April 12, 2000. We
            informed the receiving activity that the receiving report did not
            meet the requirements of a proper receiving report and asked them to
            send in a more detailed receiving report. The Vendor Inquiry System
            showed on February 17, 2001, that the invoices were paid on
            February 7, 2001, without interest. The invoice receipt date was
            January 16, 2001, and receipt and acceptance occurred on
            December 12, 2000. Further analysis showed that DFAS Kansas City
            returned the invoices to the vendor on January 2, 2001, because the
            vendor had changed its name in June 2000. Since DFAS Kansas City
            personnel had valid invoices that were date-stamped in April 2000 and
            they failed to return them to the vendor within 7 days of receipt,
            they should have recalculated the invoice receipt date based on the
            number of days they held on to the invoices. The vendor was due about
            $100 in interest.

    DFAS Kansas City and the Marine Corps need to work together to ensure that
    receiving reports for goods and services are obtained promptly upon receipt
    and acceptance.
    The CAPS(W) report, “Invoices Without Receiving Reports,” should be routinely
    used to identify and obtain missing receiving reports. Resolving unpaid
    invoices should become more of a joint effort that is monitored closely to
    ensure that prompt and accurate payments are made. DFAS Kansas City should
    have individuals designated to review reports that indicate problems with
    documents needed to support payments and work with customers to receive
    missing information.

Management Oversight

    Operational reviews directed by DFAS Arlington identified problems in vendor
    payment operations at DFAS Kansas City. However, DFAS Kansas City did not
    take appropriate actions in response to those previously identified problems.
    For example, mailroom functions were not relocated to the centralized
    mailroom and certification officials were able to make changes to vendor
    payment information. Also, post-payment reviews were not routinely performed
    to determine whether payments were properly supported and made correctly.
    Post-payment reviews of payment vouchers would help to identify problems with
    making properly supported vendor payments. DFAS needed to ensure that prompt
    corrective actions were taken in response to recommendations of operational
    review teams.

Summary

    DFAS Kansas City had improved the segregation of duties by establishing a new
    vendor payment structure and limiting access to CAPS(W). However, the
    Director, Commercial Pay Services, needed to change the business structure
    and practices at DFAS Kansas City for making vendor payments to ensure that
    documents are properly controlled, information in CAPS(W) is correct and
    properly supported, and vendors are paid promptly and accurately. Emphasis
    needs to be placed on determining whether supporting documents comply with
    all requirements.
    If proper invoices, receiving reports, and obligation documents are not
    received, prompt action must be taken to return the documents to originators
    and request proper documentation. DFAS Kansas City and the Marine Corps must
    make a concerted effort to ensure that proper receiving reports for goods and
    services are obtained promptly upon receipt and acceptance. To maintain
    proper segregation of duties, DFAS Kansas City should make sure that no one
    individual can enter or direct the entry of all data needed to make payments.
    Certification officials should be organizationally independent to ensure that
    all payments are accurate, proper, and legal. Responsive actions need to be
    taken to correct previously identified problems and payment vouchers should
    be reviewed to identify problems with making properly supported payments.
    DFAS must also develop a comprehensive program to provide personnel assigned
    to the vendor payment office with appropriate training on the regulatory
    requirements for making properly supported payments.

Recommendations, Management Comments, and Audit Response

    C. We recommend that the Director, Commercial Pay Services, change the
    business structure and practices at the Defense Finance and Accounting
    Service Kansas City for making vendor payments using the Computerized
    Accounts Payable System for Windows. Specifically:

        1. Receive and date-stamp all incoming documents supporting vendor
    payments in a central location outside the vendor payment office.

    DFAS Comments. The Director, Commercial Pay Services, concurred and
    stated that the receipt and date-stamping of incoming hard-copy payment
    documents was moved to the centralized mailroom.

        2. Establish a document management section to become the focal
    point for receipt, screening, and control of all documents supporting vendor
    payments.

    DFAS Comments. The Director, Commercial Pay Services, concurred and
    stated that DFAS will develop a standard organization structure for all
    vendor payment sites. The new structure will incorporate organization and
    system controls that ensure adequate separation of duties and controls over
    documents.

        3. Segregate the ability to enter information related to invoices and
    receiving reports into the Computerized Accounts Payable System for
    Windows from the ability to enter purchase order data. Alternatively,
    segregate the ability to enter invoices, receiving reports, and obligating
    documents from the ability to compute payments.

    DFAS Comments. The Director, Commercial Pay Services, concurred and
    stated that DFAS will review system access profiles in CAPS(W) to ensure that
    they provide adequate separation of duties.

        4. Develop standards for entering invoices and receiving reports into
    the Computerized Accounts Payable System for Windows.

    DFAS Comments. The Director, Commercial Pay Services, concurred and
    stated that DFAS will modify employees’ standards to address the quantity and
    quality of invoices and receiving reports entered into CAPS(W).

        5. Organizationally separate certification officials from the accounts
    payable teams. Establish a separate section within the vendor payment
    office for certification officials who ensure that payments are legal,
    proper, and correct before they are certified.

    DFAS Comments. The Director, Commercial Pay Services, concurred and
    stated that DFAS will develop a standard organization structure for use by
    all vendor payment sites.
    The new structure will ensure increased controls over certification duties.

        6. Certify individual vendor payments until a sampling plan for
    certifying a representative sample of contract and miscellaneous payments is
    developed and approved.

    DFAS Comments. The Director, Commercial Pay Services, partially concurred
    and stated that DFAS will use the DFAS Arlington statistical sampling
    guidance that is currently in coordination for performing pre- and
    post-payment reviews.

    Audit Response. The DFAS comments were partially responsive. The
    statistical sampling guidance developed by DFAS Arlington has not been
    approved by the Office of the Under Secretary of Defense (Comptroller). Until
    DFAS Kansas City has an approved statistical sampling plan, DFAS Kansas City
    should manually certify all payment vouchers. We request that DFAS reconsider
    its position and provide additional comments to the final report.

        7. Designate individuals to review reports that indicate problems with
    documents needed to support payments and work with customers to receive
    missing information. Establish a reports and reconciliation section to handle
    payment anomalies and reconcile system reports.

    DFAS Comments. The Director, Commercial Pay Services, concurred and
    stated that supervisors review and disseminate reports identifying invoices
    missing receiving reports and obligations to the Marine Corps Liaison Office.
    Supervisors will work with the Marine Corps Liaison Office to obtain missing
    documents.

    Audit Response. The DFAS comments were generally responsive. The
    standard organization structure that DFAS is developing should include a
    reports and reconciliation section.

        8. Perform monthly post-payment voucher reviews to ensure that
    vendor payments are properly supported and to identify problem areas.

    DFAS Comments.
    The Director, Commercial Pay Services, partially concurred and stated that
    post-payment reviews will revert to monthly if the quarterly reviews identify
    an unacceptable level of compliance.

    Audit Response. The DFAS comments were responsive. We agree that
    quarterly reviews should be performed only if they show that a very high
    percentage of the payments are properly supported and made correctly.
    Otherwise, more frequent reviews would be appropriate.

        9. Develop a comprehensive training program for making properly
    supported vendor payments.

    DFAS Comments. The Director, Commercial Pay Services, concurred and
    stated that DFAS Kansas City developed a new employee training program and
    provided refresher training to vendor payment personnel. The refresher
    training covered the problem areas identified during the audit. The training
    program will be updated as needed.


Appendix A. Audit Process

Scope

    Work Performed. The controls associated with CAPS(W) and its computation
    of vendor payments at DFAS Kansas City were evaluated, including the
    procedures that DFAS Kansas City used to make vendor payments to
    Marine Corps customers. During FY 2000, 75,861 vendor payments, valued at
    about $1.2 billion, were made by DFAS Kansas City using CAPS(W). A random
    sample of 208 of the 17,983 payments made from May 1 through July 31, 2000,
    was reviewed. We considered the organizational and system changes made by
    DFAS Kansas City since July 31, 2000.

    General Accounting Office High-Risk Area. GAO identified several high-risk
    areas in the DoD.
    This report provides coverage of the Defense Financial Management and
    Information Management and Technology high-risk areas.

Methodology

    To assess controls over CAPS(W), we reviewed the system access lists,
    compared the access levels of employees to their job position, observed
    system access by users, and discussed procedures for controlling and changing
    passwords with system personnel. We also reviewed system manuals and
    discussed the functionality of CAPS(W) with systems personnel at DFAS Kansas
    City and Indianapolis.

    From data files obtained from DFAS Kansas City, we randomly selected
    208 vendor payments made using CAPS(W) from May 1 through July 31, 2000.
    See Appendix C for the sampling methodology. From October 2000 through
    April 2001, we reviewed the operations and support for the payments made at
    DFAS Kansas City to determine whether payments were properly authorized,
    approved, and supported. Obligation documents, invoices, receiving reports,
    and payment vouchers were reviewed for accuracy and propriety. We compared
    payment vouchers to source documents to determine whether payments were
    properly supported, in the correct amount, cited proper appropriation data,
    based on the correct invoice receipt dates and receipt and acceptance dates,
    were properly certified, and sent to the correct vendor via the required
    means of delivery.

    We also reviewed guidance for making vendor payments and compared guidance
    issued by DFAS Arlington and Kansas City with guidance in 5 C.F.R.
    Part 1315; the FAR; DFARS subpart 232.9; and DoD Regulation 7000.14-R,
    volumes 5 and 10.
    We contacted selected receiving activities to determine whether they received
    goods and services for which payments had been made. We also contacted
    several vendors to determine the status of invoices and whether payments had
    been received.

    We assessed improvements in vendor payment operations by assessing changes in
    guidance and the actions taken by DFAS Kansas City and the Marine Corps in
    response to prior reviews of vendor payment operations. We held discussions
    with key DFAS Kansas City personnel and Marine Corps financial managers.
    We also determined actions taken to resolve older unpaid invoices by
    judgmentally selecting 10 invoices from a listing of unpaid invoices. We
    determined the status of the invoices, identified problems that delayed the
    payment of the invoices, and for those invoices that were paid as of the date
    of our visit, we reviewed the documents supporting the payments.

    Use of Computer-Processed Data. Although we relied on computer-processed
    data from CAPS(W), we did not evaluate the adequacy of all the system’s
    general and application controls. We determined that password controls over
    CAPS(W) were not adequate and data entered at one location could be altered
    or removed by individuals at other locations. However, we established data
    reliability for the payments we reviewed by comparing data output to source
    documents and through discussions with vendors and receiving activities. Our
    tests disclosed that the data were sufficiently reliable to support the audit
    conclusions and recommendations.

    Audit Type, Dates, and Standards. This financial-related audit was performed
    from October 2000 through May 2001.
    We did our work in accordance with generally accepted Government auditing
    standards except that we were unable to obtain an opinion on our system of
    quality control. The most recent external quality control review was
    withdrawn on March 15, 2001, and we will undergo a new review.

    Contacts During the Audit. We visited or contacted individuals and
    organizations within DoD. Further details are available on request.

Management Control Program Review

    DoD Directive 5010.38, “Management Control (MC) Program,” August 26,
    1996, and DoD Instruction 5010.40, “Management Control (MC) Program
    Procedures,” August 28, 1996, require DoD organizations to implement a
    comprehensive system of management controls that provides reasonable
    assurance that programs are operating as intended and to evaluate the
    adequacy of the management controls.

    Scope of Review of the Management Control Program. We reviewed the
    adequacy of management controls over vendor payments made using CAPS(W).
    Specifically, we reviewed management controls over vendor payments at DFAS
    Kansas City. We also reviewed management’s self-evaluation of those controls.

    Adequacy of Management Controls. A material management control weakness
    as defined by DoD Instruction 5010.40 was identified in controls associated
    with making vendor payments using CAPS(W). Management controls were not
    adequate to control access to CAPS(W) and to ensure that all vendor payments
    were properly supported and made for correct amounts. Recommendations A.,
    B., and C., if implemented, will improve controls over vendor payments. A
    copy of the report will be provided to the senior official in charge of
    management controls in DFAS.

    Adequacy of Management’s Self-Evaluation.
    DFAS Kansas City identified vendor payments as an assessable unit and, in our
    opinion, correctly identified the risk associated with vendor payments as
    high. DFAS Kansas City reported problems with controls over the processing of
    CAPS(W) payments as material management control weaknesses in its FY 1999
    Annual Statement of Assurance. DFAS Kansas City reported in its FY 2000
    Annual Statement of Assurance that it had improved controls over the
    processing of CAPS(W) payments, but reported a lack of internal controls over
    access to CAPS(W) as a material management control weakness. DFAS Kansas City
    indicated that resolution of the system access problems was outside its
    control and requested assistance in resolving them from DFAS Arlington. We
    disagree with the assertions made in the FY 2000 Annual Statement of
    Assurance that DFAS Kansas City had corrected control weaknesses in vendor
    payment operations and taken all the actions it could to improve access to
    CAPS(W). As highlighted in this report, the management control weaknesses
    related to CAPS(W) in the FYs 1999 and 2000 Annual Statements of Assurance
    still exist. Additional system weaknesses also exist that have not been
    reported. DFAS Kansas City should either correct identified material control
    weaknesses related to making payments using CAPS(W) or report them as a
    material management control weakness.


Appendix B. Prior Coverage

    During the last 5 years, GAO and the Inspector General, DoD, have issued
    several audit reports discussing issues related to vendor payments.

General Accounting Office

    GAO Report No. GAO-01-309 (OSD Case No. 3029), “Excess Payments and
    Underpayments Continue to be a Problem at DoD,” February 22, 2001

    GAO Report No. GAO/AIMD-00-10 (OSD Case No.
    1919), “Increased Attention Needed to Prevent Billions in Improper
    Payments,” October 29, 1999

    GAO Report No. GAO/AIMD-98-274 (OSD Case No. 1687), “Improvements
    Needed in Air Force Vendor Payment Systems and Controls,” September 28,
    1998

    GAO Report No. GAO/OSI-98-15 (OSD Case No. 1687-A), “Fraud by an
    Air Force Contracting Official,” September 23, 1998

Inspector General, DoD

    Inspector General, DoD, Report No. D-2000-139, “Controls Over the Integrated
    Accounts Payable System,” June 5, 2000

    Inspector General, DoD, Report No. 97-052, “Vendor Payments - Operation
    Mongoose, Fort Belvoir Defense Accounting Office and Rome Operating
    Location,” December 23, 1996


Appendix C. Statistical Sampling Methodology

Sampling Plan

    Sampling Purpose. The purpose of the statistical sampling plan was to
    estimate the number of vendor payments that did not have proper documentation
    by type of payment and type of document. The statistical sampling plan was
    also used to estimate the number of improper payments, once it was determined
    that a payment was not properly supported. The payments were reviewed to
    determine whether documentation was adequate and complied with 5 C.F.R.
    Part 1315 requirements.

    Universe Represented. DFAS Kansas City provided a database of vendor
    payments made using CAPS(W) from May 1 through July 31, 2000. The file
    contained records on 17,987 vendor payments. The total dollar value of the
    vendor payments in the population was $290.6 million.

    Sampling Design.
    The sampling design used to determine whether or not the vendor payments had
    proper documentation was a stratified attribute design. The population was
    divided into three strata: payments valued at less than $2,500, payments
    valued at $2,500 or more but less than $1 million, and payments valued at
    $1 million or more. A total of 208 payments (101 contractual and 107
    miscellaneous) were randomly selected: 130 from the first stratum, 60 from
    the second stratum, and 18 from the third stratum.

Sampling Results

    Table C-1 identifies the statistical estimates of vendor payments that were
    not properly supported by type of payment.

                  Table C-1. Payments Not Properly Supported
                         (99-Percent Confidence Level)

    Type of Payment     Lower Bound     Point Estimate     Upper Bound

    Contractual               5,921              7,511           9,100
    Miscellaneous             7,457              9,094          10,731

    We are 99-percent confident that from 5,921 to 9,100 contractual vendor
    payments were not properly supported. Also, we are 99-percent confident that
    from 7,457 to 10,731 miscellaneous vendor payments were not properly
    supported. Table C-2 identifies the statistical estimates of contractual
    vendor payments that were not properly supported by document type.

     Table C-2. Contractual Payments Not Properly Supported by Document Type
                         (99-Percent Confidence Level)

    Type of Document    Lower Bound     Point Estimate     Upper Bound

    Invoices                  1,671              2,916           4,160
    Receiving Reports         5,727              7,315           8,904
    Contracts                  (17)                604           1,225

    We are 99-percent confident that from 1,671 to 4,160 vendor payments were not
    properly supported due to improper invoices. We are 99-percent confident that
    from 5,727 to 8,904 vendor payments were not properly supported due to
    improper receiving reports. The estimate of vendor payments that were not
    properly supported by contract passes through zero; therefore, the estimate
    for contracts is not considered significantly different from zero and will
    not be used in the report. We are also 99-percent confident that from 933 to
    3,053 payments were made using receiving reports containing inaccurate dates.
    Each of the individual estimates is projected at the 99-percent confidence
    level. However, taking a conservative approach, reviewing each of the 10
    estimates as an independent projection, we estimate the overall confidence
    level for all 10 estimates simultaneously is approximately 90 percent.

    Table C-3 identifies the statistical estimates of miscellaneous vendor
    payments that were not properly supported by document type.

    Table C-3. Miscellaneous Payments Not Properly Supported by Document Type
                         (99-Percent Confidence Level)

    Type of Document       Lower Bound     Point Estimate     Upper Bound

    Invoices                      (64)                463             990
    Receiving Reports            6,985              8,614          10,244
    Obligation Documents           251              1,032           1,813

    We are 99-percent confident that from 6,985 to 10,244 vendor payments were
    not properly supported due to improper receiving reports. We are 99-percent
    confident that from 251 to 1,813 vendor payments were not properly supported
    due to improper obligation documents. The estimate of vendor payments that
    were not properly supported by invoices passes through zero; therefore, the
    estimate for contracts is not considered significantly different from zero
    and will not be used in the report. Each of the individual estimates is
    projected at the 99-percent confidence level. However, taking a conservative
    approach, reviewing each of the 10 estimates as an independent projection, we
    estimate the overall confidence level for all 10 estimates simultaneously is
    approximately 90 percent.

    Table C-4 identifies the statistical estimates of contractual and
    miscellaneous payments that were improper payments.

                        Table C-4. Improper Payments
                        (99-Percent Confidence Level)

    Type of Payment     Lower Bound     Point Estimate     Upper Bound

    Contractual               1,617              2,845           4,073
    Miscellaneous               190                926           1,661

    We are 99-percent confident that from 1,617 to 4,073 contractual payments
    were improper payments.
    Also, we are 99-percent confident that from 190 to 1,661 miscellaneous
    payments were improper payments. Improper payments were payments that should
    not have been made or were made for incorrect amounts. Specifically, improper
    payments included payments for unsupported or inadequately supported claims,
    overpayments, and underpayments.


Appendix D. Guidance on Supporting Documentation

    The principal guidance used for making payments to vendors is the PPA, as
    implemented by OMB in 5 C.F.R. Part 1315, “Prompt Payment; Final Rule,”
    September 29, 1999. The requirements for supporting documentation are
    further defined in FAR subpart 32.9, “Prompt Payment;” DFARS subpart
    232.9, “Prompt Payment;” and DoD Regulation 7000.14-R, volume 10,
    “Contract Payment Policy and Procedures,” November 1999.

    On August 28, 2000, a proposed rule was published for comment in the Federal
    Register, “Federal Acquisition Regulation; Prompt Payment and the Recovery of
    Overpayment; Proposed Rule.” The proposed change revises the FAR to
    incorporate 5 C.F.R. Part 1315 and implements a GAO recommendation to
    require contractors who have been overpaid to notify contracting officers of
    overpayments. The FAR council must issue a Federal Acquisition Circular to
    change the FAR. DFARS subpart 232.9 also has not been changed.

    In Inspector General, DoD, Report No. D-2000-139, “Controls Over the
    Integrated Accounts Payable System,” June 5, 2000, we recommended that
    DoD Regulation 7000.14-R, volume 10, be amended to fully comply with
    5 C.F.R. Part 1315 requirements and include standardized rules for making
    properly supported miscellaneous payments. DoD Regulation 7000.14-R,
    volume 10, has not yet been changed.
    The Under Secretary of Defense (Comptroller) stated that DoD Regulation
    7000.14-R, volume 10, would not be changed until 5 C.F.R. Part 1315 is
    incorporated in the FAR.

    DFAS Kansas City issued revised vendor pay standard operating procedures in
    October 2000. However, the DFAS Kansas City guidance did not include the
    requirements in 5 C.F.R. Part 1315.

    Invoices. 5 C.F.R. Part 1315 requires that the vendor send an invoice to the
    designated billing office specified in the contract when goods are delivered
    or services performed. The designated billing office is required to
    immediately date-stamp the invoice and perform a review to determine whether
    the invoice is proper for payment. If the invoice is determined to be proper,
    it should be sent to the payment office for entry into CAPS(W) and payment.
    If determined to be improper, the invoice should be returned to the vendor
    within 7 days of receipt (for most invoices), identifying all defects that
    prevented payment and requesting that the vendor send a clearly marked
    corrected invoice to the designated billing office for payment.

    Specifically, 5 C.F.R.
    Part 1315.9, “Required Documentation,” states that:

          (b) The following correct information constitutes a proper invoice and
          is required as payment documentation:

          (1) Name of vendor;

          (2) Invoice date;

          (3) Government contract number, or other authorization for delivery
              of goods or services;

          (4) Vendor invoice number, account number, and/or any other
              identifying number agreed to by contract;

          (5) Description (including for example, contract line/subline
              number), price, and quantity of goods and services rendered;

          (6) Shipping and payment terms (unless mutually agreed that this
              information is only required in the contract);

          (7) Taxpayer Identification Number (TIN), unless agency procedures
              provide otherwise;

          (8) Banking information, unless agency procedures provide
              otherwise, or except in situations where the EFT requirement is
              waived under 31 CFR 208.4;

          (9) Contact name (where practicable), title and telephone number;

          (10) Other substantiating documentation or information required by
               the contract.

    In addition to these requirements, the proposed change to the FAR specifies
    EFT requirements and states that contractors should assign an identification
    number to each invoice.

    DoD Regulation 7000.14-R, volume 10, allows exceptions to requirements for a
    valid invoice. DoD Regulation 7000.14-R, volume 10, states that it is not
    necessary for an invoice to be free of defects in order for it to be proper
    and create a valid demand on the Government; the approving activity
    determines whether a valid demand exists. These exceptions are contrary to
    5 C.F.R.
Part 1315 and FAR requirements. The
chapters of DoD Regulation 7000.14-R have not been updated since 1996 and state that
if inconsistencies exist between the FAR and the regulation, the FAR controls. In
assessing whether an invoice was proper, we used 5 C.F.R. Part 1315 requirements.
Specifically, invoices were considered improper if they did not contain a contract or
obligating document number, or did not adequately describe what was purchased or the
description was inconsistent with the contract. The FAR requires that an invoice that is
missing required data be returned within 7 days of receipt to the vendor, which can
make the needed corrections and resubmit a clearly marked corrected invoice.
Consequently, invoices were also considered improper if they were altered.

Receiving Reports. 5 C.F.R. Part 1315 requires that receipt and acceptance be
promptly recorded at the time of delivery of goods or completion of services.
Receiving activities were required to submit a receiving report immediately upon each
delivery of goods or completion of services unless the contract stated that partial
payment was not authorized. Receiving activities were to forward a proper receiving
report to the payment office by the fifth working day after acceptance.
5 C.F.R.
Part 1315.9 states that:

    (c) The following information from receiving reports, delivery tickets,
    and evaluated receipts is required as payment documentation:

    (1) Name of vendor;

    (2) Contract or other authorization number;

    (3) Description of goods or services;

    (4) Quantities received, if applicable;

    (5) Date(s) goods were delivered or services were provided;

    (6) Date(s) goods or services were accepted;

    (7) Signature (or electronic alternative when supported by
        appropriate internal controls), printed name, telephone number,
        mailing address of the receiving official, and any additional
        information required by the agency.

The proposed change to the FAR basically restates existing requirements
for receiving reports. The proposed change states that:

    (c) Authorization to pay. . .
    .The receiving report or other
    Government documentation authorizing payment must, as a minimum,
    include the following:

    (1) Contract number or other authorization for supplies delivered or
        services performed.

    (2) Description of supplies delivered or services performed.

    (3) Quantities of supplies received and accepted or services
        performed, if applicable.

    (4) Date supplies delivered or services performed.

    (5) Date that the designated Government Official -

        (i)  Accepted the supplies or services; or

        (ii) Approved the progress payment request, if the
             request is being made under the clause at 52.232-5,
             Payments Under Fixed-Price Construction
             Contracts, or the clause at 52.232-10, Payment
             Under Fixed-Price Architect-Engineering Contracts.

    (6) Signature, printed name, title, mailing address, and telephone
        number of the designated Government official responsible for
        acceptance or approval functions.

DoD Regulation 7000.14-R, volume 10, does not specify what a receiving
report must contain to properly support a payment. Most items in the sample
were missing the dates of acceptance and required signature information.

Contracts. To properly support a payment, the paying office must have a
signed contract or other authorization document against which payment is being
made. 5 C.F.R. Part 1315.9 states that:

    (a) The following information from the contract is required as
    payment documentation:

    (1) Payment due date(s) as defined in Sec.
        1315.4(g);

    (2) A notation in the contract that Partial payments are prohibited, if
        applicable;

    (3) For construction contracts, specific payment due dates for
        approved progress payments or milestone payments for completed
        phases, increments, or segments of the project;

    (4) If applicable, a statement that the special payment provisions of
        the Packers and Stockyard Act of 1921 (7 U.S.C. 182(3)), or the
        Perishable Agricultural Commodities Act of 1930 (7 U.S.C.
        499a(4)), or Fish and Seafood Promotion Act of 1986 (16 U.S.C.
        4003(3)) shall apply;

    (5) Where considered appropriate by the agency head, the specified
        acceptance period following delivery to inspect and/or test goods
        furnished or to evaluate services performed is stated;

    (6) Name (where practicable), title, telephone number, and complete
        mailing address of officials of the Government’s designated
        agency office, and of the vendor receiving the payments;

    (7) Reference to requirements under the Prompt Payment Act,
        including the payment of interest penalties on late invoice
        payments (including progress payments under construction
        contracts);

    (8) Reference to requirements under the Debt Collection
        Improvement Act (Pub. L. 104-134, 110 Stat. 1321) including the
        requirement that payments must be made electronically except in
        situations where the EFT requirement is waived under 31 CFR
        208.4. Where electronic payment is required, the contract will
        stipulate that banking information must be submitted no later than
        the first request for payment.

Many contracts were missing key elements such as payment terms, a valid
DUNS number, or a valid CAGE code.
Although the lack of this information
did not make the contract improper, it made proper payment difficult. For
example, contracts should have contained a DUNS number or CAGE code
because one was needed to locate EFT information for payment in the
Contractor EFT database.

Appendix E. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense for Acquisition, Technology, and Logistics
  Deputy Under Secretary of Defense (Acquisition Reform)
Under Secretary of Defense (Comptroller)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Commandant, United States Marine Corps
  Deputy Chief of Staff for Installations and Logistics
Naval Inspector General
  Deputy Naval Inspector General for Marine Corps Matters
Auditor General, Department of the Navy

Department of the Air Force
Auditor General, Department of the Air Force

Other Defense Organizations
Director, Defense Finance and Accounting Service
  Director, Commercial Pay Services

Non-Defense Federal Organization
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and
  Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and
  Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans
  Affairs, and International
  Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on
  Government Reform

Under Secretary of Defense for Acquisition, Technology, and Logistics Comments

Defense Finance and Accounting Service Comments

Audit Team Members
The Finance and Accounting Directorate, Office of the Assistant Inspector General for
Auditing, DoD, prepared this report. Personnel of the Office of the Inspector General,
DoD, who contributed to the report are listed below.

Paul J. Granetto
Richard B. Bird
Marvin L. Peek
Carmelo G. Ventimiglia
George C. DeBlois
Michelle D. Pippin
Rebecca L. Niemeier
Lusk F. Penn